Downgrade from Panorama 8.0

This procedure describes how to downgrade from Panorama 8.0 to Panorama 7.1.
Panorama 8.0 introduced enhanced logging capabilities. However, this format is not backwards compatible with Panorama or Log Collectors running a release earlier than Panorama 8.0. Before you downgrade Panorama, Log Collectors, and firewalls, use the following workflow to first migrate logs to the pre-PAN-OS 8.0 log format. Then, downgrade firewalls before you downgrade Log Collectors and Panorama running a Panorama 8.0 release to an earlier feature release. This procedure works for both Panorama managing a local Log Collector and managing one or more Dedicated Log Collectors.
Review the Palo Alto Networks Compatibility Matrix to confirm that the firewalls and appliances you intend to downgrade are compatible with PAN-OS 7.1. For example, PA-220, PA-800 Series, PA-5200 Series and some VM-Series firewalls are not supported on any release earlier than PAN-OS 8.0 and you cannot manage these firewalls from Panorama after you downgrade Panorama to Panorama 7.1. For the firewalls and appliances that you can downgrade, you should also review the Upgrade/Downgrade Considerations to ensure that you account for all features and configuration settings that will be different or unavailable after you downgrade.
Migrating logs is not a required step. If you do not need to access your existing log data, or are planning to upgrade back to a Panorama 8.0 release soon, then you can avoid migrating your logs. However, if access to previous log data is required, continue with the log migration task. Before you begin this downgrade, schedule a maintenance window that can accommodate the log migration task, which takes approximately 24 hours for each 2TB of data, during which you cannot query or search logs, generate reports, or push configuration changes to Log Collectors undergoing migration. The downgrade workflow involves first upgrading your Panorama and Log Collectors to Panorama 8.0.2 before you migrate logs and downgrade Log Collectors or Panorama. If the Log Collectors aggregate logs from firewalls running PAN-OS 8.0, you must also downgrade those firewalls to the same or an earlier release than the release version to which you are downgrading Panorama.
  1. Save a backup of the Panorama and managed devices configuration files.
    1. Export Panorama and device configuration snapshot (Panorama > Setup > Operations).
    2. Save the exported .tgz file to a location external to Panorama, Log Collectors, or firewalls. You can use this backup to restore the configuration if you experience problems that cause you to start over.
  2. (Panorama and Log Collectors running Panorama 8.0 or 8.0.1 only) Upgrade Panorama and Log Collectors to Panorama 8.0.2 or later release.
    Panorama 8.0 introduced a new log format that previous releases do not support. However, the ability to migrate the log format was introduced in Panorama 8.0.2. As a result, you will first need to upgrade the software to Panorama 8.0.2 from an 8.0 or 8.0.1 release before migrating the log format and software to Panorama 7.1.
    Use the following procedures to upgrade Panorama and Log Collectors to Panorama 8.0.2 or later release as needed:
    1. Install content and then software updates for Panorama.
    2. Deploy content and then software updates to Log Collectors.
  3. Save a backup of the Panorama and managed devices configuration files.
    1. Export Panorama and device configuration snapshot (Panorama > Setup > Operations).
    2. Save the exported .tgz file to a location external to Panorama, Log Collectors, or firewalls. You can use this backup to restore the configuration if you experience problems that cause you to start over.
  4. Downgrade each firewall running a PAN-OS 8.0 release.
    If downgrading more than one firewall, streamline the process by having each firewall-specific PAN-OS 7.1 image downloaded to Panorama before you start downgrading. For example, to downgrade your PA-200, PA-3050, and PA-5060 firewalls to PAN-OS 7.1, download the PanOS_700-7.1.0, PanOS_3000-7.1.0, and PanOS_5000-7.1.0 images.
    Panorama requires that all firewalls are running the same or an earlier PAN-OS release. Thus, before you can downgrade Panorama, use and repeat the appropriate tasks below according to your environment to downgrade all managed firewalls:
    1. Check Now for available images (Panorama > Device Deployment > Software).
    2. Locate the PAN-OS 7.1 image for each model or series of firewalls you intend to downgrade. If the image is not already downloaded, then Download it.
    Non-HA Firewalls
    Click Install in the Action column for the PAN-OS 7.1 version, select all the firewalls you intend to downgrade, select Reboot device after install, and click OK.
    Active/Active HA Firewalls
    1. Click Install, disable (clear) Group HA Peers, select either of the HA peers, select Reboot device after install, and click OK. Wait for the firewall to finish rebooting before you proceed.
    2. Click Install, disable (clear) Group HA Peers, select the HA peer that you didn’t update in the previous step, select Reboot device after install, and click OK.
    Active/Passive HA Firewalls
    In this example, the active firewall is named fw1 and the passive firewall is named fw2:
    1. Click Install in the Action column for the appropriate update, clear Group HA Peers, select fw2, select Reboot device after install, and click OK.
    2. After fw2 finishes rebooting, verify on fw1 (Dashboard > High Availability widget) that fw2 is still the passive peer (the Local firewall state is active and the Peer-fw2 is passive).
    3. Access fw1 and Suspend local device (Device > High Availability > Operational Commands).
    4. Access fw2 (Dashboard > High Availability widget) and verify that the Local firewall state is active and the Peer firewall is suspended.
    5. Access Panorama, select Panorama > Device Deployment > Software, click Install in the Action column for the appropriate update, clear Group HA Peers, select fw1, select Reboot device after install, and click OK. Wait for fw1 to finish rebooting before you proceed.
    6. Access fw1 (Dashboard > High Availability widget) and verify that the Local firewall state is passive and the Peer (fw2) is active.
      If you enabled preemption in the Election settings (Device > High Availability > General), then fw1 will be reinstated as the active peer after reboot.
  5. Before downgrading a Log Collector, disable log forwarding to that Log Collector to avoid losing the log data during migration.
    Make sure not to push the configuration changes to any device group or template. Doing so applies the new IP addresses to the devices, and log forwarding will continue.
    You will need to temporarily disable log forwarding to avoid data loss and avoid putting unnecessary stress on devices undergoing log migration. Logs generated during the migration will be buffered on the firewall, and forwarded to the designated location once log forwarding is enabled.
    Make sure to keep track of the original IP addresses that will be edited to disable log forwarding. You will need to restore these IPs to re-enable log forwarding.
    For Panorama in Panorama Mode:
    1. Select Panorama > Setup > Interfaces and select Management.
    2. Change the IP Address to a different routable IP address and click OK.
    3. If a dedicated port on Panorama is used for log forwarding, select the port and disable (clear) Device Management and Device Log Collection. Repeat this step for all dedicated ports used for log forwarding.
      To quickly identify if a dedicated port is used for log forwarding, refer to the Services Enabled column and confirm that Device Management and Log Collection is listed.
    4. Commit to Panorama. Do not push the configuration change to devices, as it will push the new Management IP address to the firewalls and log forwarding will continue.
    5. Log back in to Panorama using the new IP address.
    6. Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.
    For Panorama with logs forwarded to Dedicated Log Collectors undergoing downgrade:
    1. Select Panorama > Managed Collectors, select a Dedicated Log Collector that will undergo downgrade from Panorama 8.0 and select Interfaces.
    2. Select Management and change the IP Address to a different routable IP address and click OK.
    3. If a dedicated port on Panorama is used for log forwarding, select the port and disable (clear) Device Management and Device Log Collection. Repeat this for all dedicated ports used for log forwarding.
      To quickly identify if a dedicated port is used for log forwarding, refer to the Services Enabled column and confirm Device Management and Log Collection is listed.
    4. Click OK to exit the configuration screen and Commit to Panorama.
    5. Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.
  6. Migrate existing logs to the pre-8.0 format so Panorama and Log Collectors can read log data after the downgrade.
    You cannot pause or stop the migration after you begin. Disrupting the migration will cause some or all log data to become inaccessible. If the log migration is interrupted for any reason, repeat this step to restart the migration process. The migration will start anew, and not pick up from the point where the disruption occurred.
    Migrating your logs is not a required step. If you do not need to access your existing logs, or are planning to upgrade back to a Panorama 8.0 release soon, then avoid migrating your logs. Existing log data will be accessible again once Panorama and Log Collectors have been upgraded back to an 8.0 or later release. However, if access to your previous logs is required, continue with the log migration task.
    During the migration, you cannot search within or query logs or generate reports, and Panorama and Log Collectors cannot receive any new logs.
    1. Access the Panorama CLI.
    2. Migrate logs to the pre-8.0 format using the commands appropriate for your environment:
      • On Panorama with a local Log Collector or on a Dedicated Log Collector:
      request logdb downgrade
      • On Panorama for each Collector Group:
      request logdb downgrade collector-group <collector-group-name>
  7. Monitor the status of the log migration.
    If you decide that you would like to end the log migration and continue with the downgrade, you will need to gracefully power down the Panorama or Log Collector to avoid any data inconsistencies or data corruption. Alternatively, you can continue to Step 8 (Downgrade each Log Collector running Panorama 8.0) to downgrade while the migration is running. This will ensure that the appliance is powered down gracefully. Please note that not all data will have been migrated, meaning that only some data will be available upon downgrade.
    The migration takes approximately 24 hours for each 2TB of data. You can monitor progress during the downgrade process.
    You can continue to push configuration changes to your managed firewalls during the migration. You cannot push configuration changes to a Log Collector that is undergoing a log format migration.
    1. Access the Panorama CLI.
    2. Check the status of the migration:
      • On Panorama with a local Log Collector or on a Dedicated Log Collector:
      request logdb downgrade-in-progress
      • On Panorama for each Collector Group:
      request logdb downgrade-in-progress <collector-group-name>
    It takes roughly 30-40 minutes after you start the migration before these commands display an output. When they do display output, the result is Logger downgrade in progress if the migration is still in progress. If the migration is finished (or was interrupted or was not started), the command displays No logger downgrade is in progress.
  8. Downgrade each Log Collector running Panorama 8.0.
    1. Check Now for available images (Panorama > Device Deployment > Software).
    2. Locate the Panorama 7.1 image. If the image is not already downloaded, then Download it (Action column).
    3. After the download completes, Install the image on each Log Collector running Panorama 8.0. Select Reboot device after install to automatically reboot the device when the upgrade has completed.
  9. Downgrade Panorama.
    1. Check Now for available images (Panorama > Device Deployment > Software).
    2. Locate the Panorama 7.1 image. If the image is not already downloaded, then Download it.
    3. After the download completes, Install the image on Panorama.
    4. Reboot Panorama if the downgrade requires that:
      • If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing the username or password. When the Panorama login prompt appears, enter the username and password you set during initial configuration.
      • If you are not prompted to reboot, select Panorama > Setup > Operations and click Reboot Panorama in the Device Operations section.
  10. Re-enable log forwarding from the firewalls to Log Collectors.
    If you disabled log forwarding in Step 5 (Before downgrading a Log Collector, disable log forwarding to that Log Collector to avoid losing the log data during migration), you will need to re-enable log forwarding once the downgrade has completed for Panorama and Log Collectors. All logs that would have been sent during the procedure will be forwarded to the appropriate Log Collector.
    For Panorama in Panorama Mode:
    1. Select Panorama > Setup > Interfaces and select Management.
    2. Change the IP Address back to the original IP address.
    3. If a dedicated port on Panorama is used for log forwarding, select the port and enable Device Management and Device Log Collection. Repeat this for all dedicated ports used for log forwarding.
    4. Commit to Panorama.
    5. Log back in to Panorama using the original IP address.
    6. Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.
    For Panorama with logs forwarded to Dedicated Log Collectors undergoing downgrade:
    1. Select Panorama > Managed Collectors, select a Dedicated Log Collector that underwent downgrade from Panorama 8.0 and select Interfaces.
    2. Select Management and change the IP Address back to the original IP address and click OK.
    3. If a dedicated port on Panorama is used for log forwarding, select the port and enable Device Management and Device Log Collection. Repeat this for all dedicated ports used for log forwarding.
    4. Click OK to exit the configuration screen and Commit to Panorama.
    5. Select Push to Devices and Edit Selections. You will need to Deselect All Device Groups and Templates, and Select All Collector Groups. Click OK and Push.
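
The status check in Step 7 returns the same message whether the migration finished, was interrupted, or never started, and returns nothing for the first 30-40 minutes. The following added example (not Palo Alto Networks code) replays status output that an operator has already captured as text and uses poll history plus the 24-hours-per-2TB estimate to separate those cases. The function names, state labels and the half-of-estimate threshold are assumptions of this example; the two message strings and the timings are the ones quoted on this page.

```python
from datetime import datetime, timedelta

# Strings and timings below are the ones quoted in Step 7 of this page.
IN_PROGRESS = "Logger downgrade in progress"
NOT_RUNNING = "No logger downgrade is in progress"
STARTUP_GRACE = timedelta(minutes=40)  # output appears after roughly 30-40 minutes
HOURS_PER_TB = 12.0                    # approximately 24 hours for each 2TB


def estimated_duration(log_tb):
    """Expected migration time for log_tb terabytes of stored logs."""
    return timedelta(hours=log_tb * HOURS_PER_TB)


def classify(started, polls, log_tb):
    """Return the migration state after replaying polls in time order.

    polls is a list of (datetime, cli_output) pairs captured by the operator.
    State names and the half-estimate threshold are assumptions of this example.
    """
    seen_running = False
    state = "starting"
    for when, output in polls:
        elapsed = when - started
        text = output.strip()
        if NOT_RUNNING in text:
            # Same message for finished, interrupted and never started,
            # so earlier polls and elapsed time are used to tell them apart.
            if not seen_running:
                state = "not-started-or-unobserved"
            elif elapsed < 0.5 * estimated_duration(log_tb):
                state = "ended-early-check-for-interruption"
            else:
                state = "ended"
        elif IN_PROGRESS in text:
            seen_running = True
            state = "running"
        elif not text:
            state = "starting" if elapsed <= STARTUP_GRACE else "no-output-past-grace"
        else:
            state = "unrecognized-output"
    return state


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 0, 0)  # constructed sample data, 4 TB of logs
    sample = [(t0 + timedelta(minutes=10), ""),
              (t0 + timedelta(minutes=45), IN_PROGRESS),
              (t0 + timedelta(hours=3), NOT_RUNNING)]
    print(classify(t0, sample, log_tb=4))
```

An "ended-early" result only flags that the migration stopped well before the estimate; because an interrupted migration restarts from the beginning, confirm log accessibility before proceeding to the downgrade steps.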
